From 26b1fe52aff414550e23a2a41b9a7d78b4069dad Mon Sep 17 00:00:00 2001 From: Nicholas Molnar <65710+neekolas@users.noreply.github.com> Date: Wed, 14 Aug 2024 17:33:02 -0700 Subject: [PATCH] Upload key package before publishing identity updates (#962) ### TL;DR Implements parts of https://github.com/xmtp/xmtp-node-go/issues/399 - Uses `UploadKeyPackage` instead of `RegisterInstallation` so we can deprecate the register installation endpoint - Uploads key package _before_ publishing the identity updates for new installations. This ensures that any installation seen in an identity update must have a matching key package. - No longer checks the lifetime of key packages when verifying ## AI Assisted Summary ### What changed? - Removed expiration checks and set expiration to 0 in MLS validation service - Updated the client registration process to register identity before applying signature request - Renamed `register_installation` to `upload_key_package` in API client calls - Removed lifetime validity checks from key package verification --- mls_validation_service/src/handlers.rs | 5 +- xmtp_api_grpc_gateway/Cargo.lock | 106 ++++++++---------------- xmtp_mls/src/client.rs | 15 ++-- xmtp_mls/src/identity.rs | 8 +- xmtp_mls/src/verified_key_package.rs | 3 - xmtp_mls/src/verified_key_package_v2.rs | 4 - 6 files changed, 50 insertions(+), 91 deletions(-) diff --git a/mls_validation_service/src/handlers.rs b/mls_validation_service/src/handlers.rs index f1e2128df..f32579016 100644 --- a/mls_validation_service/src/handlers.rs +++ b/mls_validation_service/src/handlers.rs @@ -198,7 +198,8 @@ async fn validate_inbox_id_key_package( error_message: "".into(), credential: Some(kp.credential), installation_public_key: kp.installation_public_key, - expiration: kp.inner.life_time().not_after(), + // We are deprecating the expiration field and key package lifetimes, so stop checking for its existence + expiration: 0, }) } 
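Review bot: `expiration: 0` turns the response field into a sentinel whose meaning is not stated in the hunk. A consumer that still compares `expiration` with the current time would treat every validated key package as already expired, so the comment should say what 0 means, for example `// expiration is deprecated and always 0 (lifetime not enforced); callers must not compare it with the current time`. The existing comment's "stop checking for its existence" also does not match the removed line, which read `not_after()` rather than testing for presence. Together with the removed `life_time().is_valid()` checks in xmtp_mls/src/verified_key_package.rs and xmtp_mls/src/verified_key_package_v2.rs, nothing visible in this patch bounds how long an uploaded key package stays acceptable, so it is worth confirming that rotation or replacement of key packages is enforced elsewhere. The struct literal and the function body begin outside the hunk.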
@@ -377,7 +378,7 @@ fn validate_key_package(key_package_bytes: Vec) -> Result Result<(), ClientError> { log::info!("registering identity"); - self.apply_signature_request(signature_request).await?; - let connection = self.store().conn()?; - let provider = self.mls_provider(connection); + // Register the identity before applying the signature request + let provider = self.mls_provider(self.store().conn()?); self.identity() .register(&provider, &self.api_client) .await?; + self.apply_signature_request(signature_request).await?; + Ok(()) } diff --git a/xmtp_mls/src/identity.rs b/xmtp_mls/src/identity.rs index 6a98a2f97..bb40eee84 100644 --- a/xmtp_mls/src/identity.rs +++ b/xmtp_mls/src/identity.rs @@ -269,9 +269,8 @@ impl Identity { .await?, )) .await?; - let identity_update = signature_request.build_identity_update()?; - api_client.publish_identity_update(identity_update).await?; + // Make sure to register the identity before applying the signature request let identity = Self { inbox_id: inbox_id.clone(), installation_keys: signature_keys, @@ -281,6 +280,9 @@ impl Identity { identity.register(provider, api_client).await?; + let identity_update = signature_request.build_identity_update()?; + api_client.publish_identity_update(identity_update).await?; + Ok(identity) } else { if inbox_id != generate_inbox_id(&address, &nonce) { @@ -424,7 +426,7 @@ impl Identity { } let kp = self.new_key_package(provider)?; let kp_bytes = kp.tls_serialize_detached()?; - api_client.register_installation(kp_bytes, true).await?; + api_client.upload_key_package(kp_bytes, true).await?; Ok(StoredIdentity::from(self).store(provider.conn_ref())?) } diff --git a/xmtp_mls/src/verified_key_package.rs b/xmtp_mls/src/verified_key_package.rs index 83b7f89bd..fc6e7a168 100644 --- a/xmtp_mls/src/verified_key_package.rs +++ b/xmtp_mls/src/verified_key_package.rs 
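Review bot: In xmtp_mls/src/identity.rs (hunk `@@ -281,6 +280,9 @@`) a failure in `publish_identity_update` now happens after `identity.register(provider, api_client)` has already run. The last hunk of that file shows `register` uploading the key package and then storing `StoredIdentity`, so the error return leaves a persisted local identity and an uploaded key package with no identity update behind them. Whether a retry re-publishes the update or treats the stored identity as fully registered is not visible here and should be checked; the reordered block in xmtp_mls/src/client.rs has the same shape, with `apply_signature_request` now following `register`. I would document the failure mode at the call, for example `// register() persists StoredIdentity; if publishing below fails, the identity update must be retried`, and reword the added comment, which says "applying the signature request" although the code that follows publishes the identity update. The enclosing branch starts and ends outside the hunk.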
@@ -70,9 +70,6 @@ impl VerifiedKeyPackage { ), ); } - if !kp.life_time().is_valid() { - return Err(KeyPackageVerificationError::InvalidLifetime); - } Ok(Self::new(kp, account_address)) } diff --git a/xmtp_mls/src/verified_key_package_v2.rs b/xmtp_mls/src/verified_key_package_v2.rs index b3cfc63a2..8b29b6504 100644 --- a/xmtp_mls/src/verified_key_package_v2.rs +++ b/xmtp_mls/src/verified_key_package_v2.rs @@ -75,10 +75,6 @@ impl TryFrom for VerifiedKeyPackageV2 { let pub_key_bytes = leaf_node.signature_key().as_slice().to_vec(); let credential = MlsCredential::decode(basic_credential.identity())?; - if !kp.life_time().is_valid() { - return Err(KeyPackageVerificationError::InvalidLifetime); - } - Ok(Self::new(kp, credential, pub_key_bytes)) } }